Iptables

From Linux-VServer

Problem: The network packet filter, as implemented in the Linux kernel, does not provide a concept of "personalities" that would allow subsetting a rule set per vserver guest. However, by providing guest-specific chains, to which network packets with the source or destination address of a given guest are directed, and by introducing a mechanism that allows a guest to update only its own guest-specific chain, the outcome is rather similar.
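The layout described above, as an added example that is not part of the original page or of Linux-VServer's own tooling: a host-side sketch that prints (but does not execute) the iptables commands for one guest chain and checks that a guest's request touches only its own chain. The `GUEST_<name>` naming, the function names, the use of the filter table's INPUT and OUTPUT chains, and the guest name and address are assumptions.

```shell
#!/bin/sh
# Added example: per-guest chain layout. Nothing here runs iptables; the
# commands are only printed so the host admin can review them first.

# guest_chain NAME: print the chain name for a guest (assumed GUEST_<name>).
# Rejects names with shell or iptables metacharacters, and names that would
# exceed the 28-character limit iptables places on chain names.
guest_chain() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 22 ] || return 1
    printf 'GUEST_%s\n' "$1"
}

# emit_guest_rules NAME ADDR: print the host-side setup. Packets destined to
# the guest address or sourced from it are sent to the guest's chain.
emit_guest_rules() {
    chain=$(guest_chain "$1") || return 1
    case "$2" in
        ''|*[!0-9.]*) return 1 ;;   # IPv4 literal only in this sketch
    esac
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A INPUT -d %s -j %s\n' "$2" "$chain"
    printf 'iptables -A OUTPUT -s %s -j %s\n' "$2" "$chain"
}

# guest_may_run NAME OP CHAIN: hypothetical policy check for a host-side
# wrapper. A guest may append, insert, delete, flush or list rules, and only
# in its own chain; creating, deleting or renaming chains is refused.
guest_may_run() {
    own=$(guest_chain "$1") || return 1
    case "$2" in
        -A|-I|-D|-F|-L) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$own" ]
}

# Constructed sample guest: name "web1", address from the documentation range.
emit_guest_rules web1 192.0.2.10
```

The check covers only the operation and the chain name; a real wrapper would also have to constrain the rest of the rule, such as its jump target.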